Squidguard on 2.0 final



  • i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.

    After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
    Times don't work anymore, and i can't understand why.
    I check my config but nothing strange is come out.

    Bug in squidguard binary? bug in config generations? I can't figure out.

    If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
    If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).

    prior 2.0 final i have no issue at all

    please help me to figure out this problem :(



  • Check you pfsense system time.



  • @dvserg:

    Check you pfsense system time.

    off course i already checked



  • Show you squidGuard settings.



  • Any solution on this… I am having the same issues...

    here is my post: http://forum.pfsense.org/index.php/topic,41777.0.html



  • After a great deal of digging, I've found a solution to this.

    Everything is working as it should per the setup in pfSense.  That said, the defaults in the php code the create the configuration file are probably incorrect these days.  Historically this probably wouldn't have made a significant difference.  It also probably wouldn't be noticed in transparent proxies, depending on how they show the error.

    SquidGuard sends a 301 (permanent) redirect instead of a 302 (temporary) redirect.  Modern browsers cache 301's because they can per the standards.

    Depending on your time setup, if a site is being blocked and you are in a time config where it should be allowed, deleting the browser cache/history/etc and reloading will show the page works.  That is until it goes into a 'deny' time again where the browser re-caches the 301.

    This can be fixed by editing:

    ee /usr/local/pkg/squidguard_configurator.inc
    

    In the "# –- ACL ---" section you'll need to modify the two occurrences (a bit under "# ontime" & "# overtime") of

    $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
    

    to be

    $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
    

    There are two identical edits that should probably be made under "# –- Default ---".

    All this does is make the resulting SG configuration file tell SG to use 302 redirects instead of 301.  I've sent an email off to the SG maintainer listed in the package xml with a link to this post.  He may or may not integrate the above suggestion.



  • Nice debug. Congratulations! :)

    You can also Pull this request via github.



  • Hi i tried what you said but it didn't helped me, but if clear the cache it does works.
    thanks. I have highlighted the change that i made i hope i did right.
    please suggest

    ontime

    $sg_acltag->items[] = "pass {$acl[F_DESTINATIONNAME]}";
                    if ($acl[F_RMOD] != RMOD_NONE)
                    # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
                    $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);

    # overtime
                    if ($acl[F_TIMENAME]) {
                        $sg_acltag->items[] = "} else {";
                        $sg_acltag->items[] = "pass {$acl[F_OVERDESTINATIONNAME]}";
                        if ($acl[F_REDIRECMODE] !== RMOD_NONE)
                            # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD]);
                          $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD])

    –- Default ---

    $sg_tag_def = new TSgTag;
        $sg_tag_def->set("default", "", "", "");
        $def = $squidguard_config[F_DEFAULT];
        sg_addlog("sg_create_config", "Add Default", SQUIDGUARD_INFO);
        if ($def) {
            $temp_str = '';

    # delete blacklist entries from 'pass' if blacklist disabled
            if ($squidguard_config[F_BLACKLISTENABLED] !== 'on')
                acl_remove_blacklist_items(&$def[F_DESTINATIONNAME]);

    # not allowing IP in URL
            if ($def[F_NOTALLOWINGIP])
                $def[F_DESTINATIONNAME] = "!in-addr " . $def[F_DESTINATIONNAME];

    # re-order acl pass (<allow><deny<all|none>)
            $def[F_DESTINATIONNAME] = sg_aclpass_reorder($def[F_DESTINATIONNAME]);

    # ! 'Default' must use without times !
            $sg_tag_def->items[] = "pass {$def[F_DESTINATIONNAME]}";
            if ($def[F_RMOD] !== RMOD_NONE)
              $sg_tag_def->items[] = "redirect " . "302:" .  sg_redirector_base_url($def[F_REDIRECT], $def[F_RMOD]);
            if ($def[F_REWRITENAME])
                $sg_tag_def->items[] = "rewrite {$def[F_REWRITENAME]}";
            if ($squidguard_config[F_ENABLELOG] == 'on' ) {
                if ($def[F_LOG])
                    $sg_tag_def->items[] = "log " . SQUIDGUARD_LOGFILE;
            }
        } # <- if def
        else {
            $msg =  "ACL 'default' is empty, will use default 'block all'";
            $sg_tag_def->items[] = "# $msg";
            $sg_tag_def->items[] = "pass none";
          $sg_tag_def->items[] = "redirect " . "302:" . sg_redirector_base_url('', RMOD_INT_ERRORPAGE);
            sg_addlog("sg_create_config", "$msg.", SQUIDGUARD_ERROR);
        }</deny<all|none></allow>

    thanks
    kalu



  • Hello everyone!

    I'm from Brazil, so if my english is a little bad, forgive me.

    I've tested those suggested modifications on the file "squid_configurator.inc" and even modifying others arguments and attributes nothing went right.

    On my situation the only problem is with the browser cache.

    I needed to solve this right away so I said to users on the network to push F5 when a Website appears to be blocked. So far it's working but if you have any other things to try, just say.



  • there is no bug about that! the problem is how to redirect, don't need to change the file "squid_cofigurator.inc"
    as someone else said the "code" cache is 301 for permanent and 302 for temporary!

    you can see in the "squid_cofigurator.inc" file on line 1200

    "case RMOD_EXT_FOUND: $ rdr_path =" 302: $ rdr_info "break;"

    to use it you need to set, "Redirect mode: "ext url = found (enter URL)"

    using that it will included as "302:redirect" in your configuration and work normally!




  • Caching problem not have nothing to do with this "bug"

    H2wk tried a new clean install of 2.0 and all work so i fixed removing and reinstalling squid and squidguard packages.
    Config not even touched during this "work", on reinstall is automatically restored and now all work as expected

    for the brazilian guy: i use dmeneze Redirect mode: "ext url" on my config, like dmenezes suggest, and not have big trouble with cache. only 1/2 times some crap browser/computer have some cache issue, but i'm not sure my oldoldold config use "ext url" when appen time ago.



  • I'll see if this redirection mode is activated on my server and post here later.

    About the "crap" computer, I desagree, the issue here is with Browsers… Firefox and Internet Explorer do this... Google Chrome does not... another fact I've found.



  • Hi Again!

    It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

    The problem with the Browser cache was solved.

    Thanks for the help!



  • @LFCavalcanti:

    Hi Again!

    It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

    The problem with the Browser cache was solved.

    Thanks for the help!

    How to change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)". In which files and section? I can't find this line.



  • It's a gui option, not a file hack.



  • i have again the same issue

    nothing is changed on squidguard but now i can't use webpages on offtime.
    same apply (or restart squidguard) behaviour



  • Hi!

    Like Marcelloc said… this option is in the GUI.

    Common ACL and Group ACL in both this option is avaliable.



  • Hi mila76

    I've 7 servers in production environments right now with this configuration even with Squid authenticating on Active Directory(Windows Server 208).

    Let's do a step to step:
    1 - Install a clean PFSense 2.0 RELEASE
    2 - Install both Squid and SquidGuard
    3 - Before everything: Download and update the SquidGuard BlackList, I suggest URL BlackList or Shalla List… your choice.
    4 - I'll assume that you know how to implement and manage the options on cache and acces tabs of Squid Configurations and the concept of Proxy.
    5 - Bring Squid Online with the configuration you want.
    6 - Bring SquidGuard online
    7 - Set the common ACL as you desire and in the bottom of the page set the Redirect Mode as "Ext URL Found", put some URL... could be a Webpage or a HTML file hosted on a webserver in your Intranet.
    8 - Go to General tab on Squidguard configuration then click on save and after click on apply.

    I've a much more complex configuration on my Servers so it will be hard to explain.
    Above are the basics and I hope that will help you.



  • Follow your instruction of ext url found but still page is not blocking Pls Help



  • @mila76:

    i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.

    After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
    Times don't work anymore, and i can't understand why.
    I check my config but nothing strange is come out.

    Bug in squidguard binary? bug in config generations? I can't figure out.

    If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
    If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).

    prior 2.0 final i have no issue at all

    please help me to figure out this problem :(

    same problem, my boss wants me fired because I can not automatically block facebook! nobody has any idea to solve?
    ???



  • You can workaround this restarting or reloading squidguard every day or at specific times.

    To handle cron schedules using gui, install cron package.



  • Thanks I want test it…
    I have install Cron Package..
    what is the command to reload squidquard to add in the Cron table?

    thanks in advance!



  • Hi, it work for now, thanks for your help.. with Cron and this command schedule every day:
    /usr/local/sbin/squid -k shutdown 
    /usr/local/sbin/squid

    restarting squid by night, the acl time based work fine without press "apply" in time or offtime to pass or block

    then with a alias with IP + apps.facebook.com and a schedule rule also https facebook access is possible only in pause time..

    only problem left is to cache browser that is not resolved also changing the squidguard_configurator.inc file but not a serious problem



  • @spillek:

    Hi, it work for now, thanks for your help.. with Cron and this command schedule every day:
    /usr/local/sbin/squid -k shutdown 
    /usr/local/sbin/squid

    restarting squid by night, the acl time based work fine without press "apply" in time or offtime to pass or block

    then with a alias with IP + apps.facebook.com and a schedule rule also https facebook access is possible only in pause time..

    only problem left is to cache browser that is not resolved also changing the squidguard_configurator.inc file but not a serious problem

    great workaround.
    it's save my time a lot. i should no click apply button for every "time" and "off-time" any more…  ;D



  • but i'm still curious about how to restart squidguard properly without restarting squid.
    what is script that button apply use at squidguard page?



  • @makan:

    but i'm still curious about how to restart squidguard properly without restarting squid.
    what is script that button apply use at squidguard page?

    In my experience a cronjob with "squid -k reconfigure" is enough, it will not kill squid and is enough to workaround the time problem.

    i did a ps -aux | grep squid on shell and got

    proxy  5813  0.0  0.1  9012  2612  ??  SN    1:06PM  0:02.27 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    proxy  5903  0.0  0.1  9012  2612  ??  IN    1:06PM  0:00.21 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    proxy  6195  0.0  0.1  9012  2612  ??  IN    1:06PM  0:00.08 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    root  55758  0.0  0.1 15248  4652  ??  INs  12:56PM  0:00.00 /usr/local/sbin/squid -D

    as you can also see in "proxy server" configuration, squidguard is configured as a redirect program inside squid, not a deamon itself. I only know about pfsense, that i know nothing about pfsense so i may be wrong, but that's what i conclude.



  • of course you need to make a cronjob with "/usr/local/sbin/squid -k reconfigure", got an pm to this, so, well you always need the full path in a cron job


Log in to reply